tomcat-users mailing list archives

From Clement Chong <ehch...@gmail.com>
Subject Re: Help: auth-constraint with Tomcat 6
Date Thu, 25 Jun 2009 01:55:54 GMT
Hi Tim,

Good suggestion! I'll look into it. I am in a situation where I'd prefer to
work on my own rather than bother IT with LDAP role setup and subsequent access
granting to users. By having a JDBC Realm with a blacklist of users, I can
easily control the access.

I'll probably dig into the filter, but I don't know Java. Any sample working
code with comments to modify would be great!


Thanks,
Clement

On Thu, Jun 25, 2009 at 2:59 AM, Tim Funk <funkman@apache.org> wrote:

> If you want a black list, it would probably be easier to write a filter
> [programmatic security] instead of declarative security. [At a minimum,
> everyone would still need to be authenticated - it's the authorization which
> is done via the filter (actually the filter will defer to the realm so there
> isn't much extra work)]
>
> Ex:
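> public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
>         throws IOException, ServletException {
>     // isUserInRole() defers to the configured realm for the role lookup
>     if (((HttpServletRequest) req).isUserInRole("blacklist")) {
>         // Blacklisted user: refuse with 403 Forbidden and stop here
>         ((HttpServletResponse) resp).sendError(403);
>         return;
>     }
>     // Everyone else continues down the filter chain
>     chain.doFilter(req, resp);
> }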
>
>
>
> -Tim
>
>
> Clement Chong wrote:
>
>> Hi Tim,
>>
>> Basically the first realm contains a list of users we want to deny access.
>> The password would be dynamic, making it difficult to get through. Well,
>> maybe I should really consider working with specific roles. That is, grant
>> users with roles that would allow them access. Then I would probably just
>> need a single realm for authentication.
>>
>> However, this would mean almost all users require such a role granted,
>> except for some whom we'd like to deny access. Then every new user would
>> also probably need to be granted the role. A little extra work there,
>> besides working with IT to get the new role set up. A black list would work
>> better than a white list in this case.
>>
>>
>
>
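
Added example, not part of the original thread: a complete servlet filter along the lines Tim sketches, written against the Servlet 2.5 API that Tomcat 6 provides. The class name `BlacklistFilter` and the `deniedRole` init-param are assumptions made for this example; it also assumes the filter is mapped in `web.xml` to the protected URLs and that a `security-constraint` already forces every user to authenticate.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Example only: rejects authenticated users whose realm roles include the deny-list role. */
public class BlacklistFilter implements Filter {

    private ServletContext context;
    // Role that marks a denied user; overridable via the (hypothetical) "deniedRole" init-param.
    private String deniedRole = "blacklist";

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
        String configured = config.getInitParameter("deniedRole");
        if (configured != null && configured.trim().length() > 0) {
            deniedRole = configured.trim();
        }
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // isUserInRole() is always false for an anonymous request, so a URL that the
        // security-constraint missed would slip past the deny list. Fail closed instead.
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // The role lookup is delegated to whichever realm authenticated the user.
        if (request.isUserInRole(deniedRole)) {
            context.log("Denied user in role '" + deniedRole + "' for " + request.getRequestURI());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, resp);
    }

    public void destroy() {
        // No resources to release.
    }
}
```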
